debops.docker_registry default variables¶
Sections
APT packages¶
-
docker_registry__base_packages¶
List of APT packages required for Docker Registry service.
docker_registry__base_packages: '{{ ["docker-registry"]
if (not docker_registry__upstream | bool)
else [] }}'
-
docker_registry__packages¶
List of additional APT packages to install with Docker Registry.
docker_registry__packages: []
-
docker_registry__version¶
The version of the installed Docker Registry. This variable is defined automatically by the Ansible local facts and doesn't have to be set manually. You can use this variable in conditional configuration.
docker_registry__version: '{{ ansible_local.docker_registry.version | d("0.0.0") }}'
UNIX environment¶
-
docker_registry__user¶
Name of the UNIX account which will be used by the Docker Registry service.
docker_registry__user: 'docker-registry'
-
docker_registry__group¶
Name of the UNIX group which will be used as the primary group of the Docker Registry service.
docker_registry__group: 'docker-registry'
-
docker_registry__additional_groups¶
List of additional UNIX groups to which the Docker Registry UNIX account should belong.
docker_registry__additional_groups:
- '{{ ansible_local.redis_server.auth_group | d([]) }}'
-
docker_registry__home¶
Path of the UNIX home directory of the Docker Registry service. This is the
default path used by the Debian docker-registry APT package.
docker_registry__home: '/var/lib/docker-registry'
-
docker_registry__comment¶
The GECOS field of the Docker Registry UNIX account.
docker_registry__comment: 'Docker Registry'
-
docker_registry__shell¶
The default shell used by the Docker Registry UNIX account.
docker_registry__shell: '/usr/sbin/nologin'
Docker Registry upstream installation¶
-
docker_registry__distribution_release¶
This variable defines the OS release used to determine if an upstream Docker Registry needs to be installed.
docker_registry__distribution_release: '{{ ansible_local.core.distribution_release | d(ansible_distribution_release) }}'
-
docker_registry__upstream¶
Enable or disable installation of the docker-registry command from the upstream git repository.
docker_registry__upstream: '{{ True
if (docker_registry__distribution_release in
["stretch", "trusty", "xenial"])
else False }}'
-
docker_registry__src¶
Path where source repositories will be stored.
docker_registry__src: '{{ docker_registry__home + "/src" }}'
-
docker_registry__gopath¶
Path where Go package builds and cache will be stored.
docker_registry__gopath: '{{ docker_registry__home + "/go" }}'
-
docker_registry__git_dest¶
Path where the Docker Registry upstream repository will be checked out.
docker_registry__git_dest: '{{ docker_registry__gopath + "/src/"
+ docker_registry__git_repo.split("://")[1] }}'
-
docker_registry__git_dir¶
Path where the Docker Registry .git/ directory will be stored.
docker_registry__git_dir: '{{ docker_registry__src + "/" + docker_registry__git_repo.split("://")[1] }}'
-
docker_registry__git_gpg_key¶
The fingerprint of the GPG key used to sign Docker Registry upstream releases.
docker_registry__git_gpg_key: '8C7A 111C 2110 5794 B0E8 A27B F58C 5D0A 4405 ACDB'
-
docker_registry__git_repo¶
The URL of the upstream Docker Registry git repository.
docker_registry__git_repo: 'https://github.com/docker/distribution'
-
docker_registry__git_version¶
The branch/tag of the Docker Registry git repository to check out.
docker_registry__git_version: 'v2.7.1'
-
docker_registry__binary¶
The absolute path where the Docker Registry upstream binary will be installed to; alternatively, the path of the Docker Registry binary installed by the APT package.
docker_registry__binary: '{{ "/usr/local/bin/docker-registry"
if docker_registry__upstream | bool
else "/usr/bin/docker-registry" }}'
Web server configuration¶
-
docker_registry__fqdn¶
The Fully Qualified Domain Name of the Docker Registry service.
docker_registry__fqdn: 'registry.{{ docker_registry__domain }}'
-
docker_registry__domain¶
The DNS domain used as a base for the Docker Registry FQDN address.
docker_registry__domain: '{{ ansible_domain }}'
-
docker_registry__backend_port¶
The TCP port on which the Docker Registry backend service listens for connections.
docker_registry__backend_port: '5070'
-
docker_registry__allow¶
List of IP addresses or CIDR subnets which are allowed to connect to the Docker Registry service by the webserver. If this list is empty, anybody can connect and access the service.
docker_registry__allow: []
-
docker_registry__max_upload_size¶
Specify maximum size of an upload allowed by the webserver. If set to 0,
the maximum limit is disabled.
docker_registry__max_upload_size: '4G'
-
docker_registry__basic_auth¶
Enable or disable HTTP Basic Authentication in the webserver frontend. If the GitLab Container Registry integration is enabled, the internal HTTP Basic Auth is disabled.
docker_registry__basic_auth: '{{ False
if docker_registry__token_enabled | bool
else True }}'
-
docker_registry__basic_auth_realm¶
The HTTP Basic Auth realm used by Docker Registry service.
docker_registry__basic_auth_realm: 'Docker Registry'
-
docker_registry__basic_auth_name¶
Name of the htpasswd file stored in the
/etc/nginx/private/ directory which contains HTTP Basic Auth
credentials.
docker_registry__basic_auth_name: 'docker-registry'
-
docker_registry__basic_auth_users¶
List of user accounts which will be allowed access to the Docker Registry
service via HTTP Basic Auth. The passwords will be automatically generated by
the debops.nginx role and stored in the secret/ directory on
Ansible Controller. See debops.secret role for more details.
docker_registry__basic_auth_users: '{{ ansible_local.core.admin_users | d([]) }}'
-
docker_registry__basic_auth_except_get¶
If True then GET requests will not require authentication.
Even with successful authentication, Docker images can only be pushed to a
path that includes the machines hostname thus having some audit chain to the
build server that build the image.
docker_registry__basic_auth_except_get: False
Filesystem storage configuration¶
-
docker_registry__storage_dir¶
Absolute path of the local filesystem storage directory used by the Docker Registry service.
docker_registry__storage_dir: '{{ (ansible_local.fhs.data | d("/srv"))
+ "/" + docker_registry__user + "/storage" }}'
-
docker_registry__storage_mode¶
The UNIX permissions of the local filesystem storage directory.
docker_registry__storage_mode: '0755'
Redis Server integration¶
-
docker_registry__redis_enabled¶
Enable or disable support for Redis Server cache.
docker_registry__redis_enabled: '{{ ansible_local.redis_server.installed | d() | bool }}'
-
docker_registry__redis_host¶
The FQDN address of the Redis Server instance to use by Docker Registry.
docker_registry__redis_host: '127.0.0.1'
-
docker_registry__redis_port¶
The TCP port of the Redis Server instance which should be used by Docker Registry.
docker_registry__redis_port: '{{ ansible_local.redis_server.port | d("6379") }}'
-
docker_registry__redis_password¶
The password of the Redis Server instance which should be used by Docker Registry.
docker_registry__redis_password: '{{ ansible_local.redis_server.password | d("") }}'
-
docker_registry__redis_db¶
The Redis Server database ID to use by the Docker Registry.
docker_registry__redis_db: 0
Token-based authentication¶
The Docker Registry supports token-based authentication, which allows external services to authenticate Docker clients to the Registry.
By default GitLab is used as an authentication service, but other roles that implement the needed Ansible local facts can be used as well. Specify the role name in this variable to use its facts as a data source.
docker_registry__token_provider: 'gitlab'
-
docker_registry__token_enabled¶
Enable or disable support for token-based authentication.
docker_registry__token_enabled: '{{ True
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
(ansible_local[docker_registry__token_provider].registry | d()) | bool)
else False }}'
-
docker_registry__token_fqdn¶
The Fully Qualified Domain Name of the authentication service website. This will be used to redirect HTTP clients that open the main page of Docker Registry to point them to an useful user interface instead.
docker_registry__token_fqdn: '{{ ansible_local[docker_registry__token_provider].fqdn
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].fqdn | d())
else ("code." + docker_registry__domain) }}'
-
docker_registry__token_realm_url¶
The URL of the authentication service API endpoint, passed to the Docker clients. The clients can use this URL to request signed authentication tokens from the authentication service.
docker_registry__token_realm_url: '{{ ansible_local[docker_registry__token_provider].registry_token_realm_url
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].registry_token_realm_url | d())
else "" }}'
-
docker_registry__token_issuer¶
The authentication service token issuer string, included in the issued tokens. This value needs to be the same in the authentication service configuration file.
docker_registry__token_issuer: '{{ ansible_local[docker_registry__token_provider].registry_token_issuer
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].registry_token_issuer | d())
else "" }}'
-
docker_registry__token_service¶
Name of the authentication service in Docker Registry, used in the URLs passed to the authentication source API endpoint.
docker_registry__token_service: '{{ ansible_local[docker_registry__token_provider].registry_token_service
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].registry_token_service | d())
else "" }}'
-
docker_registry__token_pki_path¶
The absolute path to the root of the PKI infrastructure, managed by the debops.pki Ansible role.
docker_registry__token_pki_path: '{{ ansible_local.pki.path | d("/etc/pki/realms") }}'
-
docker_registry__token_pki_realm¶
Name of the PKI realm used by the authentication service to sign the authentication tokens that provide access to the Docker Registry.
docker_registry__token_pki_realm: '{{ ansible_local[docker_registry__token_provider].registry_pki_realm
if (ansible_local | d() and ansible_local[docker_registry__token_provider] | d() and
ansible_local[docker_registry__token_provider].registry_pki_realm | d())
else "domain" }}'
-
docker_registry__token_pki_crt¶
The name of the file in the PKI realm which contains the X.509 certificate.
docker_registry__token_pki_crt: 'default.crt'
-
docker_registry__token_certificate¶
Absolute path of the file which contains the X.509 certificate that can be used by Docker Registry to authenticate the tokens signed by the authentication service, sent by the Docker clients.
docker_registry__token_certificate: '{{ docker_registry__token_pki_path + "/"
+ docker_registry__token_pki_realm + "/"
+ docker_registry__token_pki_crt }}'
Docker Registry configuration¶
The variables below define configuration of the Docker Registry service. See docker_registry__config for more details.
-
docker_registry__config_file¶
Absolute path of the Docker Registry configuration file.
docker_registry__config_file: '/etc/docker/registry/config.yml'
-
docker_registry__original_config¶
The original configuration of the Docker Registry service. Based on: https://github.com/docker/distribution/blob/master/cmd/registry/config-example.yml
docker_registry__original_config:
- name: 'original-config'
config:
version: '0.1'
log:
fields:
service: 'registry'
storage:
cache:
blobdescriptor: 'inmemory'
http:
addr: ':5000'
headers:
'X-Content-Type-Options': [ 'nosniff' ]
health:
storagedriver:
enabled: True
interval: '10s'
threshold: 3
- name: 'original-storage'
config:
storage:
filesystem:
rootdirectory: '/var/lib/registry'
-
docker_registry__default_config¶
Default configuration for Docker Registry defined by the role.
docker_registry__default_config:
- name: 'default-http'
config:
http:
addr: '127.0.0.1:{{ docker_registry__backend_port }}'
- name: 'original-storage'
state: 'absent'
- name: 'default-storage'
config:
storage:
filesystem:
rootdirectory: '{{ docker_registry__storage_dir }}'
delete:
enabled: True
- name: 'default-redis'
state: '{{ "present" if docker_registry__redis_enabled | bool else "absent" }}'
config:
redis:
addr: '{{ docker_registry__redis_host + ":" + docker_registry__redis_port }}'
password: '{{ docker_registry__redis_password }}'
db: '{{ docker_registry__redis_db }}'
storage:
cache:
blobdescriptor: 'redis'
- name: 'default-token'
state: '{{ "present" if docker_registry__token_enabled | bool else "absent" }}'
config:
auth:
token:
realm: '{{ docker_registry__token_realm_url }}'
issuer: '{{ docker_registry__token_issuer }}'
service: '{{ docker_registry__token_service }}'
rootcertbundle: '{{ docker_registry__token_certificate }}'
-
docker_registry__config¶
The Docker Registry configuration defined on all hosts in the Ansible inventory.
docker_registry__config: []
-
docker_registry__group_config¶
The Docker Registry configuration defined on hosts in a specific Ansible inventory group.
docker_registry__group_config: []
-
docker_registry__host_config¶
The Docker Registry configuration defined on specific hosts in the Ansible inventory.
docker_registry__host_config: []
-
docker_registry__combined_config¶
The variable which combines all of the other Docker Registry configuration variables and is used in the configuration template.
docker_registry__combined_config: '{{ docker_registry__original_config
+ docker_registry__default_config
+ docker_registry__config
+ docker_registry__group_config
+ docker_registry__host_config }}'
Garbage collector configuration¶
-
docker_registry__garbage_collector_enabled¶
Enable or disable support for Docker Registry garbage collector script.
docker_registry__garbage_collector_enabled: True
-
docker_registry__garbage_collector_interval¶
Specify the interval in which the Docker Registry UNIX account will perform
garbage collection using a cron script. Supported intervals:
hourly, daily, weekly, monthly.
docker_registry__garbage_collector_interval: 'daily'
Configuration for other Ansible roles¶
-
docker_registry__etc_services__dependent_list¶
Configuration for the debops.etc_services Ansible role.
docker_registry__etc_services__dependent_list:
- name: 'docker-registry'
port: '{{ docker_registry__backend_port }}'
comment: 'Docker Registry'
-
docker_registry__keyring__dependent_gpg_keys¶
Configuration for the debops.keyring Ansible role.
docker_registry__keyring__dependent_gpg_keys:
- user: '{{ docker_registry__user }}'
group: '{{ docker_registry__group }}'
home: '{{ docker_registry__home }}'
id: '{{ docker_registry__git_gpg_key }}'
state: '{{ "present" if docker_registry__upstream | bool else "absent" }}'
-
docker_registry__python__dependent_packages3¶
Configuration for the debops.python Ansible role.
docker_registry__python__dependent_packages3:
- 'python3-yaml'
-
docker_registry__python__dependent_packages2¶
Configuration for the debops.python Ansible role.
docker_registry__python__dependent_packages2:
- 'python-yaml'
-
docker_registry__nginx__dependent_maps¶
Map configuration for the debops.nginx Ansible role.
docker_registry__nginx__dependent_maps:
- name: 'docker_registry_headers'
map: '$upstream_http_docker_distribution_api_version $docker_distribution_api_version'
mapping: |
'' 'registry/2.0';
state: 'present'
-
docker_registry__nginx__dependent_upstreams¶
Upstream configuration for the debops.nginx Ansible role.
docker_registry__nginx__dependent_upstreams:
- name: 'docker-registry'
server: '127.0.0.1:{{ docker_registry__backend_port }}'
-
docker_registry__nginx__dependent_htpasswd¶
HTTP Basic Auth password configuration for the debops.nginx Ansible role.
docker_registry__nginx__dependent_htpasswd:
name: '{{ docker_registry__basic_auth_name }}'
users: '{{ docker_registry__basic_auth_users }}'
-
docker_registry__nginx__dependent_servers¶
Server configuration for the debops.nginx Ansible role.
docker_registry__nginx__dependent_servers:
- name: '{{ docker_registry__fqdn }}'
filename: 'debops.docker_registry'
allow: '{{ docker_registry__allow }}'
auth_basic: '{{ False
if (docker_registry__basic_auth_except_get | bool)
else (docker_registry__basic_auth | bool) }}'
auth_basic_realm: '{{ docker_registry__basic_auth_realm }}'
auth_basic_name: '{{ docker_registry__basic_auth_name }}'
options: |
client_max_body_size {{ docker_registry__max_upload_size }};
# required to avoid error HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
chunked_transfer_encoding on;
location_list:
- pattern: '/'
options: |
{% if docker_registry__token_enabled | bool %}
return 307 $scheme://{{ docker_registry__token_fqdn }}/;
{% else %}
return 307 /v2/;
{% endif %}
- pattern: '/v2/'
options: | # noqa jinja[spacing]
# Do not allow connections from docker 1.5 and earlier
# docker pre-1.6.0 did not properly set the user agent on ping, catch "Go *" user agents
if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
return 404;
}
{% if docker_registry__basic_auth_except_get | bool %}
set $auth_basic "{{ docker_registry__basic_auth_realm }}";
if ($request_method ~* "^(GET|HEAD)$") {
set $auth_basic "off";
}
if ($force_authentication) {
set $auth_basic "{{ docker_registry__basic_auth_realm }}";
}
auth_basic $auth_basic;
auth_basic_user_file {{ nginx_private_path + "/" + docker_registry__basic_auth_name }};
set $auth_status "deny";
if ($request_uri ~* "^/v2/([^/]+)/") {
set $user_path $1;
}
if ($remote_user = $user_path) {
set $auth_status "grant";
}
if ($request_method ~* "^(GET|HEAD)$") {
set $auth_status "grant";
}
if ($auth_status != "grant") {
return 401;
}
{% endif %}
# If $docker_distribution_api_version is empty, the header will not be added.
# See the map directive above where this variable is defined.
add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
proxy_pass http://docker-registry;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;
state: 'present'